Data protection is about to get its biggest overhaul for two decades. But how will the General Data Protection Regulation (GDPR) affect leisure operators?

Q1 What exactly is the GDPR? It’s new European legislation, coming into force on 25th May. It will give EU citizens new rights over how their personal data is collected and stored, and will affect all UK businesses that routinely hold or process personal data.

Q2 Why’s it being implemented? We all rely on smartphones, computers, the internet and social media, which accumulate data with every click and tap. “The sheer volume of data created and collected now makes the GDPR essential for the technology- rich environment we live in,” explains Chris Phillips, head of sales at 4 Global, which runs the DataHub, a data sharing community for the sport and leisure sector. “The Data Protection Act of 1998 is out of date; it’s simply not geared up for today’s data-driven society.”

Q3 Why should I care? “The initial response to this is often you can’t afford not to, as financial penalties will be high,” says 4 Global’s director of sports intelligence, Utku Toprakseven. “And yes, if you

fail to comply, fines will be eye-watering – in some cases, four per cent of annual global turnover or €20m, whichever is higher. “But embracing the GDPR has greater

benefits. Data drives everything so, rather than seeing the GDPR as something to catch you out, think about it through your customers’ eyes. If you’re keeping their data safe, respecting their wishes on how it’s used, they’ll know you respect them. Ultimately, customers who feel they can trust you will be loyal.”

Q4 This is all new to me… surely I should have heard more about it? Research by Symantec found 96 per cent of companies still don’t understand the GDPR. It would seem a deluge of blogs and articles has still not triggered the required action, with many adopting a ‘wait and see’ approach. “Whether GDPR is new to you or not, if you’ve yet to start ensuring you’re compliant, you need to get cracking!” says Phillips. Begin with a data map, detailing where your

data is held – be that on paper, in filing cabinets or on CRM systems. “Establish why

you have data, where and how it’s stored, why you’re keeping it and for how long,” advises Sue Powell, GDPR team lead at Gladstone. “The days of just collecting data and keeping it forever are gone. All leisure operators will need positive policies about what they’re keeping and why.”

Q5 Which bits of the regulation affect leisure? The definition of ‘personal data’ has expanded significantly. Online identifiers – such as IP addresses and cookies – will now count as personal data. Special Category Sensitive Personal Data, which refers to things like political opinions or religious beliefs, will also include genetic and biometric data, such as any data collected to measure athletic performance or health. “Marketing consent is getting a shake-up that’ll

affect all operators,” says Phillips. “The key will be transparency. In order to send marketing materials you’ll now need unambiguous, opted- in permission from the individuals concerned. You won’t be allowed to assume or force consent